“Your company profits from collecting highly sensitive personal information from American consumers — it should take seriously its responsibility to keep data safe and to inform consumers when its protections fail,” wrote the 24 members of Congress in the letter.

Among the many questions asked by the group (paraphrased):

What exactly was the vulnerability, specifically, and how has it been addressed?

What security practices, including audits, intrusion monitoring and other controls, are in place?

Has the company stepped up its security game after other breaches to its networks?

Why did it take four months to detect and a month to announce this breach?